Two Cathedrals: Cloudsmith + GitHub

Before GitHub, everyone struggled to manage SVN (the “cool kid” at the time, pre-git), CVS, VSS, or, for the genuinely arcane, RCS. As a developer, there was trepidation with every check-in, hoping that nothing went wrong. Back then, source code management was held within a proverbial black box on some server you had to maintain, probably stuck under a colleague's desk in the corner.

Then, in 2008, GitHub emerged with a fully managed SaaS offering that gave developers and their teams visibility, control, and management.

Even before Cloudsmith was formed, Lee and I adopted GitHub in 2012. This was our first opportunity to move away from this insane black box, on-prem legacy so we could concentrate on the things that mattered. We never looked back.

Today, GitHub stores most of the world’s source code, both private and open source. Over the years, it has expanded its core functionality to include GitHub Actions and a limited Package Registry, among other enhancements.

Expanding Control with Cloudsmith

Cloudsmith was built to solve the same challenges of visibility, control, and management but for the software supply chain and secure delivery, including binaries, artifacts, packages, and containers. In much the same way, it brings a fully managed SaaS offering to store most of the world’s packaged code, both private and open source.

Our primary goal was to help developers and operations remove the need for an artifact registry on a legacy black box on a server you had to maintain or even think about deeply. Instead, we provided the single source of the truth for all artifacts in a fully managed cloud-native platform leveraging all of the cloud’s positive attributes, including reduced infrastructure costs and the best scalability and performance, all at the click of a button, just like GitHub.

Today, Cloudsmith proudly sits beside GitHub in our customers' tech stacks, showcasing our commitment to “works well with others” and ensuring our customers have what they need to build secure and performant pipelines, distributing source and packaged code when and where it is required, whether internally consumed, or delivered across the world.

Empowering Smarter, Safer Choices

With the advent of popularized Gen AI, there is now more than ever a wealth of data, with new ways to consume and query it. It’s an obvious next step to share that knowledge created by deep developer-interactive tooling like GitHub and lean into the knowledge Cloudsmith is capturing about the security and provenance of both open-source and closed-source software.

That’s why we launched Cloudsmith Navigator last year, to surface curated provenance information about open-source packages, powered in part by GitHub’s history of the source code. Navigator offers a glimpse into the nature of the holistic knowledge we have access to, and it’s this knowledge that forms the foundations of additional risk-based policies and controls.

A wise wizard once told me (okay, it was last weekend), “[it’s important] to bring more of the developer tools in the place where they already work.” In other words, you want to build a bridge towards existing tooling and make it easy for others to integrate rather than being isolationist and building all-in-one platforms that are anti-competitive. It makes sense to achieve genuinely “works well with others” and fits into our strategic thinking and positioning for Cloudsmith.

We believe it will take a village of partnerships, with at least two cathedrals (GitHub and Cloudsmith 🙂), to put the best guardrails in place to minimize the risks of open-source and closed-source software.  That means continuing to partner with companies that share our cooperative mission to secure software delivery, like our friends at Docker, CircleCI, Stacklok, Chainguard, and GitHub.

Watch this space.

Related Resources

• How to Integrate Cloudsmith with GitHub Actions
• Using GitHub Actions to Push Packages to Cloudsmith